Enum H1 Staff and Users email addresses and Lock accounts
14 Dec 2019 - CongRong
I found https://hackerone.com/sitemap.json a few months ago, but saw that only users whose names start with "a" were returned. Later I found out that the rest can be accessed via the parameter first. Enumerate all users:
After I got the IDs of nearly 600,000 users, I thought about how this data could be used to maximize the impact.
So I thought of three ideas:
Query the GraphQL interface for the team each user belongs to, then invert the result into a list of companies -> staff. (Unrestricted)
Combine the IDs with common email providers, and check via the registration interface whether each email address exists. (Rate-limited, but the limit can be bypassed with more IPv6 addresses)
Finally, the confirmed email addresses can be used against the login interface: more than 100 wrong passwords lock the account. XD
0x01 Company -> Staff:
After inverting the mapping, the staff list for each company is produced:
So I have a list of 347 teams corresponding to 3488 staff XD
0x02 Email addresses:
Normally the registration API is rate-limited, but the limit can be bypassed by running the enumeration from a large number of IPv6 addresses:
Here only gmail was used for testing; in fact outlook, yahoo, mail.ru … could be added as well.
After enumerating 30k+ IDs I stopped the testing, and 2887 of them returned success: (ps. emmmm, between you and me, I later obtained tens of thousands)
So, across all 600k IDs, at least tens of thousands of valid email addresses could be obtained.
0x03 Lock accounts:
After 100+ login attempts with incorrect passwords, the account was locked out successfully.
To lock someone's account, I only need to enumerate the email addresses and loop the script, because the session is invalidated once the account is locked and the unlock token is unique each time it is locked.